On Friday May 8th, Global Pulse hosted a workshop on data privacy and security in technology-enabled development projects and programmes, as part of a series of events about the Nine Principles for Digital Development.
In recent years, ICTs such as mobile phone apps, web-based mapping technologies and data-mining techniques have been incorporated into numerous development programmes. Alongside recognition of the opportunities presented by these innovations, there are valid concerns related to protecting privacy and data security. In this context, Principle 8, “Ensuring Data Privacy and Security,” of the Principles for Digital Development proposes that ICT4D programmes and projects should:
- Assess and mitigate risks to the security of users and their data
- Consider the context and needs for privacy of personally identifiable information when designing solutions and mitigate accordingly
- Ensure equity and fairness in co-creation, and protect the best interests of the end-users.
The workshop was held at UN Headquarters in New York, and was designed to encourage an exchange of expertise and practical experience. Colleagues from UN Agencies including UN OCHA, UNDP, UNICEF, UNFPA and UNHCR were in attendance, alongside development practitioners from organizations including Dimagi, Internews, ThoughtWorks, and Medic Mobile. Experts from academia including NYU, Oxford, Columbia, and MIT as well as private sector representatives including Microsoft, MasterCard, and IMS Health also attended and participated in the discussions.
The objective of the day was to refine the understanding of privacy and data security concepts, and exchange experiences, common challenges and solutions for how to incorporate data-securing and privacy-protecting measures into development programs.
The event included two interactive discussion sessions on data privacy and security, followed by breakout groups focusing on real world applications and challenges related to Principle 8.
To start off the morning, Robert Kirkpatrick, Director of UN Global Pulse, opened the floor, stating that privacy must be “..an inseparable element of all technology-based projects.” Merrick Schaefer of USAID explained the origins and purpose of the ICT4D principles. Two discussion sessions were led by representatives from UN OICT, ITU, Dimagi, Access Now, ESOMAR, MIT and UN Global Pulse, who presented experiences drawn from their own organizations’ practices in ICT4D. Finally, experts from Leiden University, Data & Society Research Institute, Benetech, UN OCHA and MasterCard helped to facilitate deep-dive discussions on developing and enhancing the privacy and security landscape in ICT4D during the afternoon breakout sessions.
Session 1: Data Privacy Policies
This session focused on data privacy from a policy perspective, examining organisational accountability and responsible information governance.
In a panel moderated by Mitch Toomey, Director of UN Millennium Campaign, speakers identified challenges associated with the use of information. Identified challenges included: a fragmented regulatory landscape; establishing user control and consent; allocating responsibility in a complex ICT4D ecosystem and the Internet of Things (IoT); lack of transparency; risks of using data for incompatible purposes; an absence of some required security & technology solutions; gaps in accountability and problems in implementation of privacy policies.
Distinctions between data privacy and data protection were explained, drawing from the Charter of Fundamental Rights of the European Union, Articles 7 and 8. The critical importance of consent was discussed – in particular, distinguishing “Consent” from “Understanding” and “Choice”.
Micah Altman of MIT gave an introduction on Data Privacy and Information Security. Dr Altman explained the differences between the core concepts of data privacy and data security. He suggested that privacy is control over the extent and circumstances of sharing, while security and confidentiality are control over disclosure of information. While talking about the main challenges in the big data world, Dr Altman also suggested that anonymization, employed to protect privacy, can often result in the undesirable effect of reducing utility.
Peter Micek of Access Now cautioned that, in a development or non-profit context, some organizations may not believe they are "interesting enough" to be a target for attack or a breach. However, the information being collected by organizations, especially if related to marginalized communities, should be treated as potentially valuable to adversaries. Mr Micek highlighted that in 2014 US civil society saw remarkable strides with the Civil Rights Principles for the Era of Big Data, and that 2015 should see more work on the ethics surrounding the use of big data, which he felt has become a pressing international issue. He suggested that the principles included in the Telco Action Plan developed by Access Now could also be used and implemented by development organizations.
Kathy Joe of ESOMAR (a market research organisation) presented on their Data Protection Checklist. ESOMAR's checklist emphasises accessibility and translates data privacy regulations into easy-to-understand concepts and terms used within the industry. Ms Joe explained that the checklist has been adapted to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The guidelines cover issues such as notice and consent, integrity and security, transfer of data and the concept of minimum impact.
Mila Romanoff of UN Global Pulse shared her organisation’s main practices and privacy principles for innovative big data projects, explaining that an important component of each project is conducting a privacy risk assessment. Ms Romanoff outlined Global Pulse’s risk, harms and benefits assessment framework, stressing the importance of the principle that data use be proportionate to the purpose of the project. She highlighted that it is important not only to assess the likelihood and magnitude of possible risks and harms, but also to ensure that benefits, their likelihood and potential beneficiaries are considered. She stressed the critical importance of consent and of a commitment to not re-identifying previously anonymized data. Looking beyond Global Pulse’s own practices, Ms Romanoff talked about the need to help catalyse the global development community to safeguard data protection and privacy. For that reason the Global Pulse Privacy Advisory Group has been established; the group is a transparent, inclusive and geographically balanced forum on privacy.
In summary, the session highlighted how fundamental human rights can be affected if privacy is not considered proactively. Speakers recommended that development organizations’ practices should be built on the minimum principles of lawfulness and fairness, purpose specification, access, data minimization, non-discrimination, data integrity and accuracy, and ensuring proper security measures. These principles are already acknowledged in the Guidelines for the Regulation of Computerized Personal Data Files adopted by General Assembly resolution 45/95 on 15 December 1989, and contained in document E/CN.4/1990/72 and the Madrid Resolution.
Session 2: Data Security Practices
This session focused on best practices and mechanisms for information security from a data engineering standpoint. Participants shared examples and best practices from their own organisations in developing a secure IT environment for safe information handling.
In the panel moderated by Linda Raftree of Kurante, presenters highlighted the fact that most web sites, databases, applications, etc. are vulnerable to attacks and security breaches resulting from easy passwords, poor management, not updating software or untrained personnel. Among other things, the panelists stressed the importance of aggregation and encryption when it comes to sensitive information. Interestingly, several comments were made indicating that there is still a lack of unified information in security standards.
Thomas Braun of the UN Office of ICT talked through UN OICT security practices and public web site security, including "minimum" Web Security standards, where he stressed that proper procedural and technical controls need to be employed to ensure protection from unauthorised users, or from users exceeding their authorisation. Testing the security of websites before going live, along with maintaining security updates, is critical. Mr Braun stressed that Web Application security is easy if considered from the beginning of a project and not as an add-on.
Clayton Sims of Dimagi spoke about practical implications and concerns for security in ICT project implementations, in particular for Mobile and Cloud Systems. Mr Sims pointed out that a lot of software features are not very secure and that encryption, use of SSL authentication and implementation of security features from the start are critical. Mr Sims also said that while data aggregation is important, it can also be dangerous since not all data can eventually be disaggregated, thus losing some value for socially useful causes.
Gary Fowlie of ITU Liaison Office to the United Nations talked through ITU’s Cloud Computing Guidelines and ITU’s Technology Watch Report on the challenges posed by cloud computing and the importance of Privacy Enhanced Technologies (PETs).
Breakout Groups
Participants divided up into breakout sessions on the following topics:
Developing a Privacy Policy
The first breakout group, facilitated by Jos Berens of Leiden University, considered the essential principles and steps to take and consider in a privacy policy. The goal of this group was to identify key points to include in the design of a privacy policy for the implementation of ICT4D projects. Sheryl-Ann Yarmuder from MasterCard presented on her organisation's approach.
Developing a Harms, Risks and Benefits Framework
The second breakout group, facilitated by Mr Mark Latonero, Data & Society Research Institute, discussed potential harms, risks and benefits of ICT4D projects. The goal of this group was to identify potential harms, risks and benefits, when planning and conducting an ICT4D project. Lilian Barajas and Cara Wolinsky of OCHA presented on their organisation's approach.
Good Information Security Practices
The third breakout group, facilitated by Mr Enrique Piraces, Benetech, discussed critical information security considerations for building secure apps, maps and websites. The goal of this group was to identify best practices, mechanisms and technology solutions in information security in ICT4D projects.
Considering the recent establishment of the mandate for a UN Special Rapporteur on the Right to Privacy, the event was closed with remarks by the UN Special Rapporteur on the Right to Freedom of Expression. Mr David Kaye stressed the importance of the Right to Privacy in the digital age. He suggested that it is of utmost importance that the development sector employ proper and stricter data protection measures to ensure that privacy is respected at all times.
A full agenda of the event can be downloaded here (pdf).
Top image: A breakout session on data security at the Workshop on Improving Privacy and Data Security in ICT4D Projects